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(54) System guaranteeing integrity of 
8 gambling system 

(57) Data and associated validation in- 
formation stored in a nonsecure loca- 
tion are verified as to integrity by 
cryptograph techniques. Verification 
activates a gambling system to operate 
in a gambler-responsive mode, and 
non-verification activates an alarm 
mode. The system is used in postal 
metering, electronic mail, electronic 
funds transfer and other source data 



processing systems. The validation In- 
formation is formed by deriving a first 
value from the data according to a first 
relationship, and then deriving the vali- 
dation information from the first value 
l>y means of a nonpublic derivation 
having an Inverse function. The valida- 
tion word is then associated with the 
data and stored in the nonsecure por- 
tion. Verification is accomplished by 
deriving 430 a first value fromihe data 
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by the fim relationship, and deriving 
450 a second value from the validation 
information by means of the inverse 
function. The first and second values 
are operatively related 450 to determine 
system integrity. All relationships are 
one way functions, in a preferred embo- 
diment In a preferred embodiment, the 
first and inverse second relationships' 
are public and the second relationship 
is secret 



21215*9 




■zio 



/ zzo 



MP 



ROM 



MISC. 



230 



NONSECURE 

MEMORY 

DEVICE 



I pNTERFACEl 
I '] PORT I 



(' 



21215€4 



0 




2121569 



SJb, 



SET SWSTEM TO TEST MODE PLAVEB NOW- 
RGSPOMSIVE tnooE 



ffeO^SBT ASIDE LAST N byTES OP IV1£^aofty 
COMTENiTS OF NON-SCAl-EO R.OAA AS 
VAUDPTIOIsl WORD Ua DEFIME REmAiiv>lNC- 
MEIVIORS CONTENTS -VECTOtlR. 



&30 



CompOTe INITEG-CR VALUE FCR.) FOR- REWAINt iMG- 
mEimoRC/ COKiTGNTS BASED OM'PUBUC PUNCTIONP. 



CopnPUTE INITEC-EI% V/AUUE. E(W) FROtw 
VALIDATION U)ORD BASED ON PUBLIC 
FOIMCTIOM E 



J 



SET Sy STEM TO 
PLAS16R-NON- RESPONSIVE 
ALARIVI MOPE 




yes 

llsJTe&RITy VERIFIED 



SET ss^sTEM To PLAt/EB- Responsive 



39o 



EXECUTE ALARKO 
CONTieoL- PROG4{AM 
FROM SECURE SEALED 
ROUA 



EXECUTE C-ftWIE CONTROL 

PRO&Rftin 
F ROK^ NON-SEALED ROJlA. 



/'iwstrllX 
Vanotheiv 




GB2121S69 A 



1 



SPECIFICATION 

A system and method for guaranteeing the integrity of a gambUng system 

5 This invention relates to secure systems, such as gambling apparatoCand more particulafiyiaa system for 5 
guar3nteeing the integrity of information content in the secure system, such as the control program of 
gambling apparatus. . u j ur 

h is often the case in electronic gambling systems that a microprocessor electronics based gamblmg 
system can be customized for different types of play by changing a memory device (such as an Ef ROM) or 

,0 by changing the memory device contents (such as by remotely downloading data into a read-write memory ^ q 
(RAM or EPROM). However, it is currently the practice of some state gambling commissions, such as New 
Jersey, U.S.A. to require a seal be applied to all cIncuitrY on each circuit board (including the EPROM or RAM) 
as part'of the certification process. Thus, Inventories must be maintained of the sealed boards for each of a 
plurality of machines, both in manufacturing output and maintaining a repair stock pile. This approach is 

IB both costly and inefficient, inasmuch as many machines have a common nucleus and utilize the same circuit |s 
board with a different control memory program for each of a plurality of games being selected by 
interchanging a memory device or its contents. . 

Although this approach is costly and cumbersome, there has heretofore been no alternative technique 
provided to perform the important function of guaranteeing the integrity of the gambling machines. 

90 In accordance with one aspect of the present invention, a system is provided wherein data and associated 20 
validation information stored in a nonsecure location are verified as to integrity by cryptographic techniques. 
Good Integrity verification activates the system to operate in a first mode, and bad integnty verification 
activates the system to operate in a second mode. In a preferred embodiment the system is a gambling 
system, with a first mode corresponding to user responsive operation and the second mode corresponding 

25 to an alarm mode. Other systems where the present invention would be useful Include postal metering, 25 
electronic mail, electronic funds transfer and other secure data processing systems. 

In accordance with another aspect of the present invention, the system has an interface port for 
communicating with an extemal device, such as a central control computer. Data and associated validation 
information are loaded into memory in the nonsecure location, end the system verifies the integrity of the 

30 data and associated validation information as stored in the memory by cryptographic techniques operativoly 30 
relating the data to the associated validation word. The system is activated to either a first or second 
operative mode responsive to a verification result of good or bad integrity, respectively. 

For example, a central computer could download information to one or a plurality of remotely located 
systems which would each verify the Integrity of the information received and stored In Its respective 

35 memory. Where the remotely located systems are gambling systems, the downloaded information can be 35 
odds, control programs, random number seeds, etc. 

In accordance with one of the illustrated embodiments of the present invention, a garnbling apparatus is 
disclosed having a secure portion which is certified and sealed by the Gaming Commission, and having a 
nonsecure portion, not sealed by the Gaming Commission, the integrity of which is verified by the secure 

40 portion. The secure portion of the gambling apparatus comprises a circuit board having a central processor 40 
and a first memory. The nonsecure portion of the gambling apparatus is comprised of a second portion of 
the circuit board, or an independent circuit board, having a second memory such as a nonsecure ROM, 
EPROM, or read-write memory (RAM). Utilizing cryptographic techniques, the integrity of the nonsecure 
portion of the system Is verified by the secure portion of the system. 

« The gambling system Is operable in three modes, and powers up in a test mode for verifying the integrity 45 
of the gambling system. Where a positive verification is made that the nonsecure memory (e.g. ROM) has 
satisfactory integrity, the system is activated to an operable mode responsive to player user control inputs. 
Alternatively, where the results of the test mode is a negative verification showing the nonsecure ntemorv 
does not have good integrity, and gambling system is forced to an Inoperable mode nonreaponsive to player 

go usercontrol inputs, and an alarm is activated. 60 
The nonsecure portion of the circuit board, the integrity of which Is cryptographically detectable, has a first 
nonvolatile memory (such as a ROM, PROM, EPROM or EEPROM nonvolatile memory or a read-write (RAM) 
volatile memory) having a validation word stored therein, the validation word being derived from the first 
memory contents according to a first relationship. The validation word is formed by deriving a first value 

55 from the first memory's contents. The validation word is then derived from the first value by means of a • 55 
nonpublic derivation having an inverse function. The validation word is then combined to form a part of the 
contents of the first memory. 

The secure portion of the circuit board has a processor and a second nonvolatile memory mounted 
thereon. The integrity of the secure portion is overt and detectable, such as by physical seal. The secure 

50 portionoftheboardincludesmeansforderivinga secondvsluefromthevalidationwordoftheflrstmemory go 
means of the inverse function. The secure portion also includes means for comparing the first andsecond 
values, and means for verifying the integrity of the second memory. The verification means activates the 
gaming system to the user reponsive play mode responsive to a comparison result of equality, or activates 
the gaming system to the user nonresponsive (alarm) mode responsive to a comparison result of inequality. 

55 The relationship for deriving the first value, the nonpublic relationship, and the inverse relationship of the 55 
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non-public relationship, are such that interrelating or cross deriving one to another is very complex and an 
extremely difficult and time consuming task. In a preferred embodiment, the encryption function is secret 
and the inverse function is public. 

A better understanding of the invention may be had from the following detailed examples, the detailed 
5 description being taken in conjunaion with the accompanying drawings in which: g 

Figure 7 is a perspective view of a gaming system such as a video slot gambling machine, illustrating one 
apparatus which can utilize the present Invention; 

Figure 2 is a top view showing one embodiment of a circuit board as contained in the gaming system of 
Hgure 1 having a secure portion and a nonsecure portion; 
1 0 Figure 3 is a flow chart illustrating one embodiment of the encryption method utilized in accordance with 
one embodiment of the present invention; 

Figure 4 is a flow chart of the decryption/test method as utilized in accordance with one embodiment of the 
present invention; and 

Figure SA-D are computer program listings for one embodiment of the present inention. 
IS Referring now to Figure 1, a gaming system is shown illustrative of one embodiment of the present 
invention. A housing 100 is provided which contains the necessary human player control interfaces as well 
as electronic circuitry and mechanical circuitry. Human player control inputs are provided, such as push 
buttons 1 10 and control handle 1 20. A viewing area, 130 such as video screen is provided on the front of the 
cabinet housing TOO for player viewing of the gaming machine response to player inputs. Coin shoots 1 40 
20 provided for accepting player coins and returning bent coins. The number of credits which the player has 20 
as well as the active game display are provided on the visual display means 130. For example, the gaming 
system of Figure 1 can be a slot machine gambling system having 3,4, or any number of reels, or may 
alternatively be any other type of gaming or gambling system. Where applicable, a pay out shoot 145 may be 
provided for outputting coins to winning players. 
26 Thehousing 100alsocontainsanelectroniccircuitboard200,as8howninfigure2.whichprovldesthe 25 
control and game electronic circuitry necessary to create the desired gambling system in conjunction with 
the video display 1 30 and user interface controls 1 1 0 and 120. Additionally, the housing 1 00 contains 
necessary power supplies, limit switches, etc. necessary to implement the remainder of the desired gaming 
system. 

30' Referring to Rgure 2, the circuit board 200 as discussed with reference to Figure 1 is shown in block 30 
diagram form. The circuit board 200 may be comprised of a single circuit board or of a plurality of circuit 
boards with appropriate interconnections provided. The circuit board 200 is comprised of two functionally 
separate unite, a sealed secured portion 210 and a nonsealed, nonsecure circuit portion 250. The sealed 
circuit board portion 210, as illustrated, contains a microprocessor 220, a read only memory (such as a ROM, 

35 PROM, or EPROM). and miscellaneous electronic and electromechanical circuitry 240. The sealed portion of 35 
the circuit board 210 represents the sealed portion of the gaming system in a physical sealing manner which 
would comply with a particular State Gaming Commission's requirements. 

The nonsealed portion of the circuit board, 250, contains an interconnection socket 260 for a memory 
device, (e.g. for a RAM, ROM, PROM, or EPROM). When the socket 260 provides interconnection for a 

40 read-write memory, RAM or EPROM, the data contents of the read-write memory cen be downloaded Into 49 
; the read-write memory. For example, a control program can be down-loaded from a remote site into the 
read-write memory of a local gambling system via an interface port 270 (Figure 2) of the local gambling 
system and the downloaded program verified by the secure portion of the circuit board in accordance with 
the teachings of the present invention. Multiple gambling systems can be configured to meet crowd 

45 selection patterns by specifying control programs either locally or remotely for each system. The systems 45 
can also be selectively forced inoperative by downloading appropriate control programs. This portion of the 
circuit board is not physically sealed, and thus the memory inserted into the ROM socket 260 can easily be 
changed or interchanged . While this is desirable from the view point of minimizing spare parts stock piling 
and maximizing manufacturing flexibility, the nonsealed socket does pose security risks and problems. 

50 However, in accordance with the present invention, cryptographic techniques are utilized to verify the 50 
integrity of the nonsecure portion of the circuit board, 250, via means of cryptographic processing by the 
secure portion of the circuit board, 210. The microprocessor 220 may be of any type, with its selection being 
made based upon desired operating speed, instruction set capabilities, and cost considerations. In addition, 
the microprocessor 220 may be comprised of a plurality of drcuits including a general purpose 

55 microprocessor (of a 4. 8, 16, 32, etc. bits register length), in conjunction with special purpose peripheral 55 
processors and interfece chips, such as number crunchers, fast Fourier processors, fast multipliers, etc. 

Referring to Figures 3 and 4, the methodology utilized to accomplish the invention of the illustrated 
embodiments can be more readily understood by reference to the encryption (Rgure 3) and decryption 
(Figure 4) flow charts. 

60 Referring to Figure 3, the encryption process utilized for creating a verifiably secure memory for insertion 
into the nonsealed socket 260 (of Figure 2) is illustrated in flowchart form. The procedure starts at step 300. 
Proceeding at step 310the last N bytes of the nonsecure memory are designated as a validation word W and 
reserved from the remaining contents of the nonsecure memory which is designed as the vector R. A control 
program which has been developed is loaded into the encryption systems memory and designated as the 

55 contents of the nonsealed and nonsecure memory (the vector R). The validation word W is as yet undefined, gg 
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but will represent the encrypted key to insure the integrity of the remainder of the contents of the memory. 
Proceeding to step 320 an integer value HR) is computed from the vector R by means of a one way public 
function F. F is a one vray function mapping R into an integer whose magnitude is comparable to Utat of one 
element of R. F need not be one to one, but should be such that changing R while leaving F(R) unchanged is a 
-'-^^difficult'taslu-The''function1=1s^a-publief uflcton'in-that ftis^lso utilized in the encryption process and may be 5 
discovered or known by members of the public 

Proceeding to step 330. a validation vimrd W is computed from the value RR) by means of a secret function 
D which maps words into words with an inverse function E which is a public encryption function. Thus, W = 
D(F(R)), and E(D) = 1 . Thus, when the function E is utilized in the encryption process, E (W) should equal F(R) 
10 only when the contents of the memory (the vector R and the validation word W) has not been tampered with. 10 
Thus, the integrity of the contents of the nonsealed nonsecure memory can be verified. 

Proceeding to step 340, the validation word W is placed in the memory locations which had been set aside 
as the last N bytes of the nonsealed memory. At this point the encryption proces has ended as evidenced at 
step 350. The contents of the nonsealed memory (vector R) plus the validation word (appropriately located in 
15 the last N bytes) can be committed to the nonsecure and nonsealed memory (e.g. ROM, EPROM, RAM). 15 
For further details on one way mapping functions, and public key cyrptography concepts, reference is 
made to the literature in general, such as "A Method for Obtaining Digital Signatures and Public Key 
Cryptocism Systems", by R.L Rivest, et al., as published in the February, 1978, Volume 21, Number 2 issue of 
the Communications of the ACM. at pages 120-126, hereby incorporated herein by reference. A second 
20 reference, "The Mathematics of Public Key Cryptograph/' by Martin E. Hellman, published in Scientific 20 
American, pages 146-157, 19, deals generally with the mathematics involved in public key cryptography, and 
is hereby incorporated herein by reference. Both of the aforementioned references deal with the general 
problem of secure electronics communication system, either for message transfer, or for funds transfer. The 
references address themselves to techniques to prevent tampering with new electronic communication 
25 systems and fund transfer systems and means to protect the vast quantities of private information such as 25 
credit records and medical history stored in computer data banks-Cncryption and decryp- tlon are utilized for 
transforming information so that it is unintelligible and therefore useless to those who are not meant to have 
access to it. Secondly, cryptographic techniques are utilized to insure that messages sent have not been 
tampered with, of critical concern in electronic funds transfer. 
3Q ■ Referring to Rgure 4, the decryption process is illustrated in flow chart form, illustrating one embodiment 30 
of the present invention. The process flow starts when the gambling system of Rgure 1 is powered up, at 
step 400. The process proceeds to step 410 where the system is set to the test mode, wherein the system is 
nonresponsive to players control inputs. The contents of the nonsealed portion of thecircuit board are 
examined by the secure sealed portion of the circuit board, by defining the last N bytes of the nonsealed 
35 memory contents as the validation word W, and defining the remaining nonsealed memory contents as a 35 
vector R, whose elements are the individual words of the nonsealed memory. 

Proceeding, as illustrated at step 430, the integer value F(R) is computed for the nonsealed memory 
contente represented as the vector R by means of the public function F. Next, an integervalue E(W)is 
computed from the validation word W based upon the public encryption function E. It will be recalled that the 
4Q function E is the inverse of the function D. Thus, E(W) = E(D(F(R))) = F(R) only when the contents of the 40 
nonsealed memory have not been tampered with. 

The decryption process proceeds as illustrated at step 450, where the computed value F(R) is compared to 
the computed value E(W). If F(R) = E(W), then the integrity of the nonsealed memory has been positively 
verified, and the gaming system flow proceeds as illustrated at step 480. The gaming system is set to a 
45 player responsive operable mode, wherein the coin chute and user controls are activated end the gaminp 45 
system becomes playable, as Illustrated at step 490. The control program contained in the nonsealed 
memory is executed by the processor in the sealed portion of the circuit board, 210, and the gaming system 
. operation proceeds under supervision of the control program. At this point the decryption and integrity 
verification procedure has been completed, as illustrated at step 600. 
5Q Referring back to decision block 450. where the result of the comparison of F(R) and E(W) results in a 50 
determination of inequality, the procedureal flow continues as illustrated at step 460. The gaming system of 
Rgure 1 is set to e player nonresponsive alarm mode. The user controls become inoperafive, and the system 
proceeds to execute an alarm control program, as preferably stored in the secure sealed ROM Illustrated at 
step 470. At this point the machine is disabled, and the operator is informed of the error condition. The 
55 tainted nonsealed memory device is removed from the nonsealed socket and the operator can choose 55 
between shutting the system down, or trying an altemte non-sealed memory integrated circuit Where the 
system is shut down, the procedural flow is ended, as illustrated at block 500. Where a new integrated circuit 
is placed in the ROM socket 460, the decryption procedure repeats starting again at step 400 with power up. 
In either event, the tainted memory chip should be turned over to authorities for evaluation as to tampering 
gQ or simply system or manufacturing error. 60 
Thus, in accordance with the discussion of the illustrated embodiment, herein, the ROM 230 in the sealed 
portion of the circuit board, 210, contains a verification program to monitor the security of the nonsealed 
portion of the circuit board 250 containing the plugged in nonsealed memory 260. The function F is a 
plublicly available function such that the signature F(R) provides e publicly available signature of the 
55 nonsealed memory contents less the validation check word W. while the encryption function E is publicly 65 
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available to provide for a publicly available encryption key check word E(W). By computing the validation 
check word W using a secret decryption key. function D. which is the Inverse of the public encryption 
function E, the integrity of the entire contents of the nonsealed memory (both the validation word Wand the 
remaining contents) can be protected and detected in accordance with the present invention's teachings. 

R An example may be Illustrative. Presume the nonsealed memory to be protected is an EPROM having a - g 
capacity of 2048 bytes. The last 8 bytes are set aside as the validation word W, and the remainder is 
partitioned Into 408 five byte words (Do, Di ... D407)-i>efine 408 prespecified integers {Pi. Pg. P407) and an 
additional prespec'rfied Integer P4ii8. Additionally, a large composite integer XNBase is prespecified. F(R) and 

• E(W) can then be computed as follows: 



1 = 407 

RR) =Z W| '^(modulo XNBase). 
i = o 



E(W) = VtT*" (modulo XNBase). 



The validation check procedure can be modified slightly such that if F(R) plusECW) (modulo XNBase) equal 

20 to 0 then the Integrity of the EPROM is questioned and the system goes to the alarm mode. This example in 20 
its modified format has been implemented with a BASIC language program and has been successfully tested 
on an EPROM from an electronic slot machine. The BASIC language program and EPROM object code 
hexdump listing are illustrated in Rgures 5a-d. While BASIC language was utilized in the illustrated program 
of Figure 5, any computer programming language could be utilized with an appropriate system. In the 

25 illustrated system of Figures 1-S, all arithmetic operations were exact modulo (XNBase), double predsion 25 
numbers exact to 1 6 digits. However, other cryptographic mathematical techniques could be utilized equally 
well, and implemented in accordance with the teachings of the present invention. 

It virill be understood by those skilled in the art that other functional and operative relationships between 
the data and validation infomiation can be used consistent with the teachings of the present invention. 

30 Furthermore, in performing the verification function, operative relationships in addition to or instead of 39 
comparison can be used consistent v/ith the teachings of the present invention. 

While there have been described above various embodiments of system and methods for guaranteeing 
the integrity of the control program of a gambling machine having sealed and nonsealed portions, for the 
purpose of illustrating the manner in vifhich the invention may be used to advantage, h will be appreciated 

3c that the invention is not limited thereto. Accordingly, any modification, variation, or equn^alent arrangement 35 
within the scope of the accompanying claims should be considered to be within the scope of the invention. 

CLAIMS 

40 1. A system for selectively operating in one of a plurality of modes responshfe to a determined system 40 
integrity comprising: 

(a) a nonsecure portion of the system having data and validation Information In a portion therein, 

(b) a secure portion of the system comprised of: 

(1 ). means for deriving a first value from the data according to a first relationship; 
45 (2) means for deriving a second value from said validation Information by means of a second 45 
relationship. 

(3) means for operatlvely relating said first and second values to determine system integrity, 

(4) means for activating said system to a selected operational mode responsive to said means for 
operatlvely relating, 

50 2. The system as in Claim 1 further characterized in that said nonsecure portion comprises a memoiy. 50^ 

3. The system as in Claim 1 wherein the Integrity of the nonsecure portion is cryptographically verifiable, 
and the Integrity of the secure portion is noncryptographically verifiable. 

4. The system, as inClaim 1 further characterized in that said validation information is derived from said 
data according to first and third relationships. 

.K S. The system as in aaim4wherein said second relationship isthe inverse of thethlrd relationship. 55 

6. The system as in Claim 1 further characterized in that said means for operatlvely relating provides bad 
and good system integrity outputs indicative of the determined system integrity. 

7. The system as in Claim 6 wherein said means for activating said system activates said system to a first 
operational mode responsive to good system integrity output and activates said system to a second 

gQ operational mode to a bad system integrity output. 60 
& The system as In Claim 1 further characterized in that said system is activated to a first operational 
mode responsive to a detemnination of good system integrity and said system is activated to a second 
operational mods responsive to a determination of bad system integrity. 

9. The system as in Claim 7 or 8 further characterized In that said first operational mode is a normal 
operational mode, and said second operational mode is an alarm mode. 65 



10. The system as in-Claim 4 or 5 wherein said first and second relationships are public and said third 
relation^.p .s^secr^^ in Claim 4 or 6 wherein said first, second and third relationships are one way functions. 
\i JhesystemM in Claim 1 wherein said first relationship is further characterized in that changing any 
~c ofthedatach-arigesminBrvHJdtt- — - - - — ^^-^^.....^^^-^.^^ 5 
13 They system as In Claim 1 further characterized as a gaming system. 

14! The system as in Claims 1 or 2 or 3 or 4 orS or 6 or 7 or 8 or 12 further charactenzed as a gaming 

^IS^'^The system as in Claim 1 0 further characterized as a gaming system. 

le! The system as in Claim 11 further characterized as a gaming system. 10 
^ vj' The system 8S in Claim 9 further characterized as a gaming system. 

1b' The system as in Claim 17 wherein said norami operation mode is a player-responsive mode. 

19* The system as in Claim 13 further characterized in that said secure portion is physically sealed. 

20* A system as in Claim 1 or 13 further characterized in that said data and validation information are 
IK loadedintosaidnonsecureportlonfromanapparatusremoteiyloratedrelBth^etothesystem. is 

21. Thesystem as inClaim 1 or 13whereinsaid nonsecure portion includes a memory, and said secure 
portion includes a processor and a memory. 

22. The system as in Claim 1 or 13further comprising: 

interface means for communicating with a device external to the system. .^^^^ ^ 

20 meansforloadingthenonsecureportionwrithreceivedcommunlcationsresponslvetotheinterface 20 

""S^^The system as in Claim 22 wherein said received communications is further characterized as said 
data and validation information. 

24. The system as in Claim 22 further comprising: , u _ 

« meansforcommunicatingthedeterminedsystemintegritytoadeviceexterna tothesystem. 25 

2B -me system as in Claim 1 or 13 wherein said secure portion of the system is remotely located relative 

to said IJ^^^^'J^^PJg'^;^-,,,^ , 13 wherein said secure portion comprises a processor and a memory, 
whereinsaidprocessorexecutesinstmctionsfromsaidsecurememorytodenvesaidflrstandsecond ^ 

30 ^^g^ ,^ g ^rther characterized in that said first mode is a player responsive mode, 

and said second mode is a player nonresponsive mode. 

28. The method as in Claim 27 wherein said second mode activates an alarm. 

29. A system for insuring the integrity of a remotely located downloaded memoiy comprising; 

35 (a) a controller including encryption circuitry for deriving validation information from data by means of a 36 
first relationship and a second relationship having an inverse, 

(b) a system, remotely located relative to said controller, including a memory, 

(c) means for communicating date and validation Information from said controllerto said remotely 
located system for storage In said memory, 

Af, <d) verification means comprised of: .,..t„„.i.i.,. 

(1 ) mea ns f or deriving a firet value from the data contente of the memory by said first relationship, 

(2) means for deriving a second value from said validation Information by said inverse relationship: 

(3) means for operatWely relating said first and second values for providing an output indicath« of 
system integerhy, and , ^ ^ ^ 

(4) means for manifesting an action responsive to said system Integrity output. 4S 
^ 30. The system as in Claim 29 wherein said verification means is remotely located relative to said 

"^SlT^-me system as in Claim 30 further characterized in that said first relationship and inverse second 
relationship are public and said second relationship is secret 
cn 32. The system as in Claim 30 wherein said remotely located system is a gaming system. 50 
33. The system as in Claim 3D wherein said first, second and Inverse relationships are one-way mapping 
functions.^ system as in claim 30 wherein said action Is further characterized as activating said system to a 
normal operable mode responsive to an output of good system Integrity, and activating said system to an 
CE alarm mode responsive to an output of bed system Integrity. . j ,j . ^ 

35. The system as in Claim 30 wherein said remotely located system is further comprised of date 

'"sT^ThS S"em as in Claim 30 wherein said controller is operatively coupled to selectively communicate 
with a plurality of remotely located systems. . . . ^ ^ 

go 37. ThesystemaslnClaimSefurthercharacterizedinthatatleastoneofsaidremotelylocatedsystems 60 

It'rhe^mas in Claim 37 wherein each of said remotely located systems is operatively configured 
responsive to communications from said controller to the respective remotely located system. 
39. A gaming system comprising: 
g5 (a) a circuit board; ^ 
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(b) a nonsecure portion of the circuit board, the integrity of which is cryptographlcally detectable, havmg 
a memory having data and validation information stored therein, wherein the validation information Is 
derived from the data information according to a public first relationship and a secret second relationship 
having a public inverse relationship; 
5 . .(c) — a secure;portion of_the circuit board having processing electronics mounted thereon,the Integrity of 
the secure portion being detectable, 
wherein said secure portion of the circuit board is further comprised of: 
(1 ) means for deriving a first value from the data omf pr, atopm according to the public first 
relationship, ^ ,^ ^„ , 

,0 (2) means for deriving a second valuefrom said validation won! by means of said public Inverse 
relationship, 

(3) means for operating on said first and second values to provide an Integrity signal, 

(4) means for activating said system to a first mode responsive to a first integrity signal indicative of 
good system integrity, and 

,5 (5) means for activating said system to a second mode responshre to a second integrity signal 
indicative of bad system integrity. 

40. The system as in Claim 39 wherein said secure portion Is further comprised of a processor and a 
second memory. 

41. The system as in Claim 39 wherein said first, second and inverse second relationships are one-way 
20 function^. 

42. A system as in Claim 39: 

wherein said first relationship has the characteristic that changing tiie contents of said memory changes 
said first value. 

43. The system of Claim 39: 

25 wherein said second relationship is a one-way trap-door function. 

44. A gaming system comprising : 

(a) a cabinet having a display area and a user control; 

(b) a circuit board mounted within the cabinet; 

ic) a nonsecure portion of the circuit board, the integrity of which is cryptographlcally detectable, having 
30 a memory having data and validation information stored therein, wherein the validation infomation is 
derived, by means of a second relationship having an inverse relationship, from a first value derived from 
end changing according to a first relationship responsh'e to the data contents; 

(d) a secure portion of the circuit board having verifiably good integrity comprising: 

(1 ) means for deriving a second value from the data contents of the first memory according to the first 
35 relationship, , 

(2) means for deriving a third valuefrom said validation information by means of said inverse 
relationship, 

(3) means for providing an integrity output responsive to opening on said second and third values, 
(4J means for activating said system to a first mode responsive to a first integrity output, and 

40 (5) means for activating said system to a second mode responsive to a second integrity output 

45. The system as in Claim 44 wherein said first integrity output is indicative of good system integrity, 
and said second integrity output is Indicative of bad system integrity. 

46. The system as in Oaim 45 wherein said flrst mode is further characterized as activating said system 
to a user control responsive system. 

46 47. The system as in Claim 45 or 46 wherein said second mode is further characterized as activating an 
alarm. 

48. A gaming system operable in a player responsh/e mode and an alarm mode, comprising: 
a first nriemoiY having data and validation information contents therein, vwherein said validation . 
information is operatively associated with the remaining contents of the nonsecure memory 



means for validating the imegrity of the first meniory comprising: 

means for executing instructions from the secure memory so as to derive a first value operatively 
associated with the data contents of the first memory; 

means for executing instructions from the secure memory so as to derive a second value operatively 
55 associated with the validation information; 

means for providing a good/faulty system integrity result output responsive to operathrely relating said 
first and second values; 

means for activating said gaming system to said alarm mode responsh« to a result output of faulty system 

integrity; and 

go means for activating said gaming system to said player-responshre mode responsive to a result output of 
good system integrity. 
49. The system as in aaim 48: 

wherein said first relationship has the characteristic that changing the contents of said first memory 
changes said first value. 
05 50. Agaming system as in aaim 48 or49: 
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wherein said validation information is derived from said first value. 

51 . The system as in Claim 48 wherein said first, second and inverse second relationships are one-v»ay 

^52.'° A system for insuring the integrity of information loaded into the system, comprising: 
c la) a memory having inrtially undefined contents; ® 
b) means for loading data and validation information into thecontents of the memory wrhereln said data 
is related to said validation Information according to a public first and a secret second relationship; 
(c) means forverifying the integrity ofthe loaded contents comprising: , . . ^^^^ 

<1 ) means for deriving a first value according to the first relationship responsive to the data contents of 

^0 the 1^2^'"^'^^^ deriving a second value according to a public inverse ofthe second relationship 
responsive to the validation information. 

(3) means for operatively relating the first and second values to provide an Integrity output indicatjve 
of good and bad integrity of the memory contents, , 

,5 (d) means for«)ntrolling the operable status ofthe system further compnsmg: ,. 

(1) nwansfor activating said system to a normal operational mode responsiveto the good integrity 

outp^ * means for activating said system to an alann mode responsive to said bad integrity output 
• 53. The system as in Claim S2:' 
20 wherein said system is a gaming system. 2U 
54. ThesystemasinClBim53furthercomprising: 

an interface port for communicating with an external device; , w*„ 

means responsive to said interface port for loading said memory with the communications received from 

,c "k^'^-S sysSlS^as in Claim 53 or 54 wherein said memory is located in a nonsecure portion ofthe second 25 
system, and said means for verifying the integrity and means for conUolling the operable status are located 
in a secure portion of the second system. .»ih ,,««,-i 

56 The system as in Oaim 62 or 53 having user responsive input means, wherein said normal 
operirtional mode Is further characterized as being responsive to said user responsive ^ 
30 67. A method ofcontfolling the operable mode of a system having a memory with data and validation 30 
information contents, comprising the steps of: . , ut 

deriving a first value from the data contents according to a first relationship, 

deriving a second value from the validation information according to a second relationship; 

operatively relating said first and second values so as to determine system Iritegrity, 

activating the system to a selected operative mode responsive to the determined system integnty. 35 

58. The method as in Claim 57 further characterized in that said system is a gaming syrtem. 

59. The method as In Claim 57 further characterized in that said validation information is derived from 
said data content according to the first relationship and an inverse to the second relationship. 

60. The method as in Claim €9 further comprising the steps of: . . ^ ^ ^ ■ „ 
40 octhrating the system to a normal operative mode responsive to a determination of good system integrity, 40 

'"ithrating said system to an alarm operative mode responsive to a determination of bad system Integrity. 

61. The method as inClaim 57 or 58 further comprising the steps of: 
making the first and second relationships public; 

45 maintaining the inverse to the second relationship in secrecy. 4S 

62. ThemethodasinClaimB7or58furthercompri8ingthestepsof: 

deriving saidfirstvalue by means of a function which exhibits the characteristic that changing any of the 
contents of the nonsecure memory changes the first valuft . ^ ^ *..,.i.«r 

63. The method as in Claim 62 wherein said validation information is derived from said first value, further 
en comprising the steps of : , ^ ^ ■ ... » . 

determining said second value from said validation information by means of an inverse derivation to that 
by which the validation information is obtained from the first value. 

64. A method for creating a memory having verifiable secure data contents compnsmg the steps of: 
deriving a first value from the data contents ofthe memory by a first relationship wherein chenging the 

gc contents of the memory changes the first value; B5 
deriving a validation value from said first value by a second relationship having an inverse 
relationship;end 
storing and validation value in said memory-contents. 

65. A method of verifying the integrity of a memory having data content and validation value content 

50 related to said data content by first and second relationships, comprising the steps of: 60 

deriving a first value from the data content ofthe memory by the first relationship; 

deriving a second value from said validation value by an inverse to said second relationship; 

providing an integrity output Indicative of good and bad system integrity responsive to operatively 
relating the first value and the second value; ■ u. ^ 

55 providing a first activation signal responsvie to said integrity output indicating good system integrity and 65 
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providing a second ectivation signal responsive to said integrity output Indicating bad system integrity. 

66. The method of aaim 64 or 65 wherein said first relationship and Inverse second relationship are 
public and said second relationship is secret 

68. In a system, having a sealed secure circuit portion comprising a processor and a first memory, said 
5 system also having an insecure gircuit portion comprising a second memory, a method of insuring the 

Integrity of the insecure poriion'df the system domprising the steps of; 

derh/ing a first value from the data content of the second memory by a first relationship wherein changing 
the contents of the second memory changes the first value; 

deriving a validation value from said first value by a second relationship having an inverse relationship 

10 

storing said validation value at a predefined location In said second memory. 

69. The method as In Claim 68 further comprising the steps of: 

(a) verifying the integrity of the second memory by means of said secure portion, further compnsmg the 

(1) ' deriving a third value from the contents of the second memory by said first relationship; 

(2) deriving a fourth value from said validation value by said inverse relationship; and 

(3) operatively relating the third value to the fourth value and providing a relational output; and 

(b) controlling tiie operable status of the system further comprising the steps of: 

(1 ) acthrating said gaming system to a nonnal-responsive mode responshra to said relational output 
20 Indicating good system Integrity, and , . u ^ _ 

'"■ acthrating the system to an alarm mode responsive to said relational output indicating bad system 



" 70. TTie method of Qalm 68 or 69 further characterized in that said first and inverse second relationships 
are public and said second relationship is secret 

71. The method of Claim 70 further characterized in that said second memory Is nonvolatile. 25 

72. The method of Claim 68 or 69 further characterized in that syste m is a gaming system. 

73. The method of Claim 69 further characterized in that said normal-responsive mode Is a player 
responsive mode, and said alarm mode is a player nonresponsive mode. 

74. A method of Claim 71 wherein said step of operatively relating further comprises the steps of: 

,0 comparing the magnitude of said first and second values, and indicating said good system integrity by a 3q 
relational result of equality, and Indicating said bad system integrity by a relational result of inequality. 

75. The metiiod of Claim 71 further characterized In that said first se«;ond and inverse second 
relationships are one-way mapping functions. 

76. In a gaming system, having a player responsive mode and a player nonresponsive alarm mode, asid 

OR system comprising a nonsecure memory having data and validation Infomiation, said validation irrformatlon 35 
being operatively related to the data, said sytem also having a secure memory, a method for selectively 
activating the system to a predetermined mode responshre to validating the integrity of the nonsecure 
memory, comprising the steps of: t u 

(a) executing instructions from the secure memory so as to derive a first value representative of the 

^0 contents of the nonsecure memory; . ^ ^ 

(b) executing Instructions from the secure memory 80 as to derive a second value representative of the 
validation word; 

(c) operatively relating the first and second values to provide an indication of system integrity; 

id) activating said gaming system to said player nonresponsive alarm mode responsive to an indication 
45 of improper system integrity; - ^, ^ ^ 

(e) activating said gaming system to said player-responsive mode responsive to an indication of good 



77. The method as In Claim 76 further comprising the steps of: 
deriving said first value by means of a function virhlch exhibits the characteristic tiiat changing anyofthe 
5Q contents of the nonsecure memory changes the first value. 
7& The method as in Claim 77: 

wherein said validation word is derived from said first value, further comprising the steps of: 
determining said second value from said validation word by means of an inverse derWation to that by 
which the validation word Is obtained from the first value, 
gg 79. The method as in Claim 76 wherein said first value is derived by 
operatively relating said data to a first functional mapping; and 

furthercharacterized in that said validation information is operetiveiy related to said first value according 
to a second functional mapping, 
wherein said second value Is derived by 
gQ operatively relating said validation Information to an inverse of said second functional mapping 
80. ThemethodofClaim57or68or76furthercomprislngthestepsof: 

communicating said data and associated validation Information to the systenri from a source external to 
the system; 

storing said communicated data and associated validation infonnation In said memory, 
gg 81. A method for controlling the operative mode of a system, having local and remote devices 
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responsive to determined Integrity of communicated information comprising the steps of: 

operating upon data information at the remote device according to first and second relationships to derive 
validation information, 

communicating said data and validation information from the remote device to the local device, 
5 operating upon said data information at the local device, according to said first relationship, to denve a 5 
first value; ' .. . * u j 

operating upon said validation information at said local device, according to an inverse of said second 
relationship, to derive a second value; ..... -^r-^ ^ a 

controlling the operative mode of the system responsive to operatively relating«Bid first and second 

10 ^Ji^^-^j^^ method as in Claim 81 furti^er characterized in that tfiere are a plurality of local devices, wherein 
the step of controlling the operative mode of the system further comprises the steps of: 

selectively controlling the operatwe mode of each of said local devices responsive to the operative 
relationships for each respective first and second values. 
-K 83 The method as in Claim 81 further comprising the steps of: 15 
deriving said first value by means of a function which exhibits the characteristic that changing any of the 
contents of the nonsecure memory changes the first value. . x 

84. The method as in Claim 81 wherein said validation information is derived from said first value, further 

20 "drterminlng*^'^^ value from said validation information by means of an inverse derivation to that 20 
by which the validation word is obtained from the first value. 

85. The method as in Claim 81 further characterized In that said first and Inverse second functional 
relationships are public, and said second functional relationship is secret 

86. The method as in Claim 81 or 85 further characterized in that said first second and Inverse second 
91: functional relationships are one-way functions. , j _^ 

87 A system for selectively operating in one of 8 plurality of modes responshre to a determined system 
integritysubstantiailyashereindescribedwittireferencetotheacoompanylngdravinngs. 

88. A system for insuring the integrity of a remotely located downloaded memory substantially as herein 
described with reference to the accompanying drawings. . 
on 89 A gaming system substantially as herein described vwth reference to the accompanying drawings. 30 

90. A gaming system operable in a player responsive mode and an alamn mode substantially as herein 
described with reference to the Bccompanyingdrawfings. , 

91 . A system for insuring the integrity of information loaded into the system substantially as herein 
described with reference to the accompanying drawings. . ,,j . 

3B 92. AmethodofcomrollingtheoperablemodeofasystemhavlngamemorywIthdataandvalidBtion 38 
information contents substantially as herein described whh reference to the accompanying drawings. 

93. A method for creating a memory having verifiable secure data contents substantially as herein 
described with reference to the accompanying drawings. 

94. A method for verifying the integrity of a memory having data content and validaton value content 

40 related to said data content by first and second relationships substantially as herein described with reference 40 
to the accompanying drawings. 

95. In a system, having a sealed secure circuit portion comprising a processor and a first memory, said 
system also having an insecure circuit portion comprising a second memory, a method of insuring the 
integrity of the insecure portion of tiie system substantially as herein described whh reference to the 

AK accompanying drawings. . , ^ ,j *^ 

96. In a gaming system, having a player responsive mode and a player nonresponsive alarm mode, sa d 
system comprising a nonsecure memory having data and validation Infonnation, said validation inforrnation 
being operatively related to tiie data, said system also having a secure memory, a method for selectively 
activating the system to e predetennined mode responsWe to validating the Integrity of the nonsecure 

50 memory, substantially as herein described with reference to the accompanying drawings. 60 

97. A method for controlling the operative mode ofa system, having local and remote devices 
responsh/e to determined integrity of communicated informetion substantially as herein described vAth 
reference to the accompanying drawings. 
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